*** Article Update ***
Author's Note (Nov 2018): Apparently Data Custodian is actually a Data Leak Prevention and Data Transparency product that allows users of this SaaS product to monitor and manage access to cloud solutions. It is very similar to a Cloud Access Security Broker (CASB), but according to SAP it is far more powerful, with more features.
"Today, I’m excited to announce that SAP Data Custodian, a SaaS offering from SAP, will soon become available on Azure. SAP Data Custodian combines Azure’s built-in compliance controls and the deep expertise of SAP to provide customers end-to-end visibility of their SAP data on Azure and an easy to use set of data governance controls. This will help customers to fulfill their responsibility for data governance, segregation of oversight duties, and achieve independent verification."
_______________________________________________________________________
Update on SAPPHIRE 2017: Link below:
"Google and SAP have collaborated on an innovative approach to address enterprise concerns around data protection and privacy while continuing to offer enterprises the flexibility and power of Google’s cloud platform. In the Google booth, at SAPPHIRE NOW, we have demos showcasing our vision around how enterprises can leverage SAP’s expertise and partnership with Google to gain significantly greater visibility into how their data is managed, accessed and protected on GCP"
_______________________________________________________________________
*** Original Article (March 2017) ***
When SAP announced its strategic partnership with Google Cloud Platform, Diane Greene (Google Cloud Chief) said that they are working on how SAP can become "data custodian of customer data that’s stored in GCP." This is an interesting comment, and it leads me to make some predictions here.
Firstly, we need to define what a data custodian is.
ISACA simply says "The individual(s) and department(s) responsible for the storage and safeguarding of computerized data".
However, the definition is much clearer here:
"Many data custodians are essentially database administrators. They focus on the "how" rather than the "why" of data storage. They may do things like structure or restructure a relational database system, work with middleware to serve a central data warehouse, or provide schemes or workflows that show how databases are structured. They are the IT people of the data government governance team, the people that are asked questions about the implementation of a business plan to store data."
The other important role is the Data Owner. For example, the typical enterprise customer that subscribes to SAP's SaaS offerings (S/4 HANA Public Cloud, SuccessFactors, Concur, Ariba or Fieldglass) would be considered the Data Owner. They would have complete legal rights to the data. They would create, modify, delete or control access to it. The customer could also assign, share or give privileges to third parties as required.
Currently, GCP offers only the HANA database, on a BYOL basis. This does not include the SaaS offerings above. But with this strategic partnership, it is entirely possible that SAP may decide to run its whole SaaS offering there.
Markus Riedinger from SAP has said in an OpenStack Day presentation that its private cloud operations are totally stretched and are having difficulty scaling with increasing demands.
From the perspective of hyper-scale public cloud providers like Amazon AWS, Microsoft Azure, and Google Cloud, SAP will not go head-to-head with them. Rather, it will be beneficial for it to partner with them. SAP and HANA software can run today on AWS and Azure on a BYOL basis, but this strategic partnership with Google seems more interesting.
In fact, during SAPPHIRE 2016, SAP announced it was embracing Cloud Foundry and mentioned that SAP Cloud Platform could be running in data centers other than SAP's own. This is what SAP calls "multi-cloud enabled". Correspondingly, GCP joined the Cloud Foundry Foundation in December 2016.
Let's peel back the layers of a hypothetical cloud service model before we delve into the data custodian impacts with GCP (please share your views as feedback).
Google Cloud Platform will be the IaaS provider, taking care of everything from physical security at the datacentre to encryption at the storage level. In the middle (purple), there will be other Google Cloud Platform services like Big Data and Machine Learning, while API integration and IDM services can sit with SAP Cloud Platform, providing identity authentication and single sign-on services.
Security at the operating system, database and middleware layers will likely reside with SAP. Assuming SAP can containerize its applications, the application binaries and libraries will likely be encapsulated within Kubernetes or Cloud Foundry containers. Not sure where SAP and GCP will jointly go on this in the future.
What major considerations will enterprise customers need to think about, from the data perspective, when migrating to SAP's SaaS cloud offerings on GCP?
- Legal and Regulatory: Failure to comply with the specified requirements could result in significant penalties from the relevant authorities. The issue here is that there are two third-party providers instead of one: SAP for the software layer, SaaS (business logic, runtime libraries and databases), since it operates the SaaS service, and Google for the infrastructure, IaaS (compute, storage, network and datacenter).
- Contractual: Likewise, the terms of agreement in the SaaS contract will need to spell out who is responsible for data privacy, security, separation, encryption and disposal at the different layers of service.
- Data Breach/Loss: Who would cover responsibilities and liabilities in the event that an information security incident occurs? This would definitely be a point of contention.
I am sure that SAP, being part of the Cloud Security Alliance, would be adhering to the cloud security standards, guidelines and frameworks.
My guess is as good as yours until SAPPHIRE 2017 (16-18 May 2017), where more details are expected to surface.
Other Relevant Articles on SAP Technical Community
SAP Customer Center of Excellence for Azure
SAP Customer Center of Excellence for Azure: Govern, Design, Innovate & Build
SAP Center of Excellence for Azure: Sustain & Run
Microsoft Cloud Operating Model & SAP on Azure Migration Scenarios
SAP IT Service Operations Management on Azure
SAP Security Operations on Azure
SAP Expert Role Guide to Microsoft Azure Skills and Certification
Exam Study Resources for AZ-120 Planning and Administering Microsoft Azure for SAP Workloads.
Worst SAP Production Outage Disasters
This post was originally posted on LinkedIn.
I blog this article to share information that is intended as a general resource and personal insights. Errors or omissions are not intentional. Products and services mentioned in this article are not endorsements. Opinions are my own and not the views of my employers (past, present or future) or any organization that I may be affiliated with. Your comments to my posts are your views. Content from third party websites, SAP and other sources reproduced in accordance with Fair Use criticism, comment, news reporting, teaching, scholarship, and research.